25.1.7_4-amd64 - Unbound DNS started responding SERVFAIL to clients.

Started by Seattle2k, July 16, 2025, 08:19:28 AM

Versions
OPNsense 25.1.7_4-amd64
FreeBSD 14.2-RELEASE-p3
OpenSSL 3.0.16


I updated to 25.1.7 last week without any problems. However, this morning I began getting a lot of NXDOMAIN errors in browsers.
nslookup from clients to my OPNsense's LAN IP confirmed that OPNsense was not responding to queries. nslookup for the same domains to other DNS servers worked fine.
I rebooted the OPNsense system and the problem went away for a few hours.

When the problem returned, I restarted the Unbound service. This resolved the problem for less than an hour. I restarted Unbound several more times, only for the SERVFAILs to return within minutes.


Here are some examples of Unbound logs I grabbed:
2025-07-15T11:13:22-07:00    Error    unbound    [10659:0] error: SERVFAIL <s.youtube.com. A IN>: exceeded the maximum number of sends   
2025-07-15T11:09:30-07:00    Error    unbound    [10659:0] error: SERVFAIL <s.youtube.com. A IN>: exceeded the maximum number of sends   
2025-07-15T11:02:12-07:00    Error    unbound    [10659:1] error: SERVFAIL <www.youtube.com. HTTPS IN>: exceeded the maximum number of sends   
2025-07-15T11:02:12-07:00    Error    unbound    [10659:1] error: SERVFAIL <www.youtube.com. A IN>: exceeded the maximum number of sends   
2025-07-15T11:01:34-07:00    Error    unbound    [10659:1] error: SERVFAIL <www.youtube.com. HTTPS IN>: exceeded the maximum number of sends   
2025-07-15T11:01:34-07:00    Error    unbound    [10659:1] error: SERVFAIL <www.youtube.com. A IN>: exceeded the maximum number of sends   
2025-07-15T10:38:27-07:00    Error    unbound    [75546:0] error: SERVFAIL <www.youtube.com. HTTPS IN>: exceeded the maximum number of sends   
2025-07-15T10:38:27-07:00    Error    unbound    [75546:1] error: SERVFAIL <www.youtube.com. A IN>: exceeded the maximum number of sends


2025-07-15T22:08:39-07:00    Error    unbound    [24263:1] error: SERVFAIL <datarouter.ol.epicgames.com. A IN>: exceeded the maximum nameserver nxdomains   
2025-07-15T22:05:44-07:00    Error    unbound    [58101:1] error: SERVFAIL <sentry.goquiq.com. HTTPS IN>: exceeded the maximum number of sends   
2025-07-15T22:05:44-07:00    Error    unbound    [58101:1] error: SERVFAIL <sentry.goquiq.com. A IN>: exceeded the maximum number of sends   
2025-07-15T22:05:43-07:00    Error    unbound    [58101:1] error: SERVFAIL <o293668.ingest.sentry.io. HTTPS IN>: exceeded the maximum nameserver nxdomains   
2025-07-15T22:05:43-07:00    Error    unbound    [58101:1] error: SERVFAIL <ping.chartbeat.net. A IN>: exceeded the maximum number of sends


===========================================================================
LAN interface capture conducted on OPNsense:
No.    Time    Source    Destination    Protocol    Length    Info
135    20:43:52.447220    192.168.1.104    192.168.1.2    DNS    75    Standard query 0xf167 A www.youtube.com
136    20:43:52.602864    192.168.1.2    192.168.1.104    DNS    75    Standard query response 0xf167 Server failure A www.youtube.com
137    20:43:52.613299    192.168.1.104    192.168.1.2    DNS    75    Standard query 0xf167 A www.youtube.com
138    20:43:52.614067    192.168.1.2    192.168.1.104    DNS    75    Standard query response 0xf167 Server failure A www.youtube.com
139    20:43:52.624176    192.168.1.104    192.168.1.2    DNS    75    Standard query 0x6ddf A www.youtube.com
140    20:43:52.625145    192.168.1.2    192.168.1.104    DNS    75    Standard query response 0x6ddf Server failure A www.youtube.com

No.    Time    Source    Destination    Protocol    Length    Info
976    20:44:08.158536    192.168.1.104    192.168.1.2    DNS    72    Standard query 0x3faf A www.dell.com
977    20:44:08.162718    192.168.1.2    192.168.1.104    DNS    72    Standard query response 0x3faf Server failure A www.dell.com
978    20:44:08.165670    192.168.1.104    192.168.1.2    DNS    72    Standard query 0x3faf A www.dell.com
979    20:44:08.168277    192.168.1.2    192.168.1.104    DNS    72    Standard query response 0x3faf Server failure A www.dell.com
982    20:44:08.182625    192.168.1.104    192.168.1.2    DNS    72    Standard query 0x23a1 A www.dell.com
983    20:44:08.182984    192.168.1.104    192.168.1.2    DNS    72    Standard query 0xa140 HTTPS www.dell.com
985    20:44:08.183844    192.168.1.2    192.168.1.104    DNS    72    Standard query response 0x23a1 Server failure A www.dell.com
989    20:44:08.186721    192.168.1.104    192.168.1.2    DNS    72    Standard query 0x8fc0 A www.dell.com
991    20:44:08.187376    192.168.1.2    192.168.1.104    DNS    72    Standard query response 0x8fc0 Server failure A www.dell.com
994    20:44:08.189024    192.168.1.2    192.168.1.104    DNS    72    Standard query response 0xa140 Server failure HTTPS www.dell.com

^^ (client: 192.168.1.104, OPNsense LAN interface: 192.168.1.2)



WAN interface capture conducted on OPNsense:
No.    Time    Source    Destination    Protocol    Length    Info
126    20:43:52.448786    my_public_ip    216.239.38.10    DNS    86    Standard query 0xc14f A www.youtube.com OPT
127    20:43:52.448869    my_public_ip    216.239.38.10    DNS    86    Standard query 0xc14f A www.youtube.com OPT
128    20:43:52.514597    216.239.38.10    my_public_ip    DNS    248    Standard query response 0xc14f A www.youtube.com CNAME youtube-ui.l.google.com A 142.250.69.174 A 142.251.33.78 A 142.250.217.78 A 142.250.217.110 A 142.251.215.238 A 142.250.73.78 A 142.250.73.110 A 142.250.73.142 OPT

(Nothing appeared on the WAN side when the client was querying for www.dell.com.)

(Note: I realize the timestamps in the packet captures and logs don't match up; that was my mistake... I'm tired.)

I rolled back to the following snapshot 1 hour ago, and the problem has not returned.
OPNsense 25.1.5_5-amd64
FreeBSD 14.2-RELEASE-p2
OpenSSL 3.0.16
(Unbound 1.22.0_1)
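As an added example that is not part of the post, a small Python analyser for Unbound SERVFAIL log lines in the format shown above: it parses the `[pid:thread]`, query and reason fields, counts failures per reason and per Unbound process (the pid changes on every restart, so the repeated restarts show up as separate groups), and reports the largest burst inside a time window. The sample lines are constructed in the post's format; the thresholds and window are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the format of the post's Unbound log excerpt (not real captures).
SAMPLE_LOG = """\
2025-07-15T11:01:34-07:00    Error    unbound    [10659:1] error: SERVFAIL <www.youtube.com. A IN>: exceeded the maximum number of sends
2025-07-15T11:01:34-07:00    Error    unbound    [10659:1] error: SERVFAIL <www.youtube.com. HTTPS IN>: exceeded the maximum number of sends
2025-07-15T11:02:12-07:00    Error    unbound    [10659:1] error: SERVFAIL <www.youtube.com. A IN>: exceeded the maximum number of sends
2025-07-15T11:09:30-07:00    Info    unbound    [10659:0] info: start of service (unbound 1.22.0).
2025-07-15T22:05:43-07:00    Error    unbound    [58101:1] error: SERVFAIL <o293668.ingest.sentry.io. HTTPS IN>: exceeded the maximum nameserver nxdomains
2025-07-15T22:05:44-07:00    Error    unbound    [58101:1] error: SERVFAIL <sentry.goquiq.com. A IN>: exceeded the maximum number of sends
"""

# One SERVFAIL line: timestamp, level, daemon, [pid:thread], the query, then the reason.
SERVFAIL_RE = re.compile(
    r"^(?P<ts>\S+)\s+Error\s+unbound\s+\[(?P<pid>\d+):(?P<thread>\d+)\]\s+"
    r"error: SERVFAIL <(?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)>: (?P<reason>.+?)\s*$"
)

def parse_servfails(log_text):
    """Return one dict per SERVFAIL line; every other log line is skipped."""
    events = []
    for line in log_text.splitlines():
        m = SERVFAIL_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])  # keeps the -07:00 offset
            ev["pid"] = int(ev["pid"])
            events.append(ev)
    return events

def by_reason(events):
    """How many SERVFAILs each upstream failure reason produced."""
    return Counter(e["reason"] for e in events)

def per_instance(events):
    """Per Unbound process (the pid changes on every restart): first/last failure and count."""
    groups = defaultdict(list)
    for e in events:
        groups[e["pid"]].append(e["ts"])
    return {pid: (min(ts), max(ts), len(ts)) for pid, ts in groups.items()}

def peak_burst(events, window=timedelta(minutes=5)):
    """Most SERVFAILs in any `window`; many across unrelated names implicates the resolver itself."""
    times = sorted(e["ts"] for e in events)
    best = 0
    for i, start in enumerate(times):
        best = max(best, sum(1 for t in times[i:] if t - start <= window))
    return best
```

Feed it the output of the Unbound log view (or `/var/log/resolver/` on the box) instead of `SAMPLE_LOG` to see whether failures cluster by process lifetime, as they do in the post, or stay tied to a single name.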